The growth of the Internet has led to the development of numerous technologies for the distribution of content over the World Wide Web. Among these technologies are systems that permit Web content to include executable code, that is sent from a Web server to a Web client, where it is executed. Such “mobile code” or “applets” allow content providers to distribute content that includes programmed behavior, which may be used in a variety of ways. Mobile code systems, such as Java, produced by Sun Microsystems, of Palo Alto, Calif., or Curl, provided by Curl Corporation, of Cambridge, Mass., may greatly enhance the experience of Web users by providing a relatively efficient way for highly interactive or media-rich content to be sent across the Web.
Although such mobile code systems provide access to highly desirable features, they also raise serious security issues. Including executable code in Web content exposes Web users to a variety of attacks. The same systems that provide an efficient way to distribute highly interactive or engaging content also provide a means to distribute malicious code, such as viruses, programs designed to steal information from user's computers, or other damaging programs. Even if such programs are not intentionally distributed, the use of mobile code opens the possibility that errors in executable Web content may have potentially disastrous results on the computers of Web users who view the content. These security issues are made worse by the fact that the highly interactive Web applications that can be designed using mobile code are particularly attractive to Web users, who may be easily induced to view Web pages containing hostile mobile code.
To address these security issues, mobile code systems such as Java typically impose limits on which system resources may be accessed by applets. An applet will typically have only limited access to the file system on a client computer, the CPU, memory, the network resources available to the computer, and so on. Additionally, the programming languages associated with mobile code systems typically include features which enhance security, such as type safety and garbage collection, to prevent inappropriate use of operations on objects, unsafe access to memory resources, memory leakage, and other potential memory-related problems that may be exploited by malicious code.
Unfortunately, despite these efforts, it is difficult or impossible to create a useful programming language or mobile code system that is completely free of security issues. A clever attacker can exploit minor security holes to effectively completely break the security of a mobile code system, and launch a variety of attacks.
Attempts have been made to reduce the possibility of attacks by limiting the locations on a network that may be accessed by an “unprivileged” (or “untrusted”) applet. For example, some mobile code systems permit an unprivileged applet to use a network only to access resources on the server from which the applet was downloaded. While this effectively limits the ability of such untrusted applets to attack computers other than the server that provided the applet and the client computer that downloaded the applet, in can be a severely limiting restriction.